[Dovecot] catching authentication failures with LDAP backend

Udo Rader listudo at bestsolution.at
Sat Dec 6 16:52:07 EET 2008


Hi,

we have recently been hit by a couple of brute force password attacks 
against dovecot. So what I want to do now is to add dovecot to fail2ban 
in order to block further attacks.

However, I don't seem to be able to find out password verification 
failures for our LDAP based user data.

The only thing I see are loads of lines like these in the logfiles:

-------CUT-------
dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=<ludovic>, 
method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=<luna>, 
method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=<luke>, 
method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
-------CUT-------

Googling the web I found that PAM based authentication obviously gives a 
matchable error message, but for some reason the ldap backend does not 
- or does it?

Any pointers highly appreciated :-)

dovecot -n says this:

-------CUT-------
# 1.0.15: /etc/dovecot/dovecot.conf
log_path: /var/log/dovecot.log
protocols: imaps imap pop3
listen: 81.16.98.99
ssl_listen(default): 81.16.98.99
ssl_listen(imap): 81.16.98.99
ssl_listen(pop3):
ssl_cert_file: /etc/bestsolution/ssl/mail.bestsolution.at-cert.pem
ssl_key_file: /etc/bestsolution/ssl/mail.bestsolution.at-key.pem
ssl_parameters_regenerate: 24
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
first_valid_uid: 9
mail_access_groups: mail
mail_privileged_group: mail
default_mail_env: mbox:~/mail/:INBOX=/var/mail/%u
mail_location: mbox:~/mail/:INBOX=/var/mail/%u
mmap_disable: yes
lock_method: dotlock
maildir_copy_with_hardlinks: yes
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
pop3_uidl_format(default):
pop3_uidl_format(imap):
pop3_uidl_format(pop3): %v.%u
auth default:
   mechanisms: plain digest-md5 cram-md5 login
   passdb:
     driver: ldap
     args: /etc/dovecot/dovecot-ldap.conf
   userdb:
     driver: ldap
     args: /etc/dovecot/dovecot-ldap.conf
   socket:
     type: listen
     client:
       path: /var/spool/postfix/private/auth
       mode: 432
       user: postfix
       group: postfix
-------CUT-------

--
Udo Rader, CTO
http://www.bestsolution.at
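
The log lines quoted above carry no explicit failure text, so one defensive option is to count distinct usernames per remote IP among login-stage disconnects. The following is an added example, not part of the original post and not Dovecot or fail2ban code; it assumes each log entry has been unwrapped onto one line and that a `Disconnected` line from a `*-login` process means the session ended without a successful login, and the function name, thresholds, `year` parameter and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of the login-stage disconnect lines quoted in the post (unwrapped).
LINE_RE = re.compile(
    r"^dovecot: (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) Info: "
    r"(?:pop3|imap)-login: Disconnected: user=<(?P<user>[^>]*)>, "
    r"method=[\w-]+, rip=(?P<rip>[0-9A-Fa-f.:]+), lip=\S+"
)

# Constructed sample lines (documentation IP ranges), not from a real log.
_FMT = ("dovecot: Nov 30 {t} Info: pop3-login: {ev}: user=<{u}>, "
        "method=PLAIN, rip={ip}, lip=198.51.100.5")
SAMPLE = [
    _FMT.format(t="09:09:51", ev="Disconnected", u="alice", ip="192.0.2.10"),
    _FMT.format(t="09:09:52", ev="Disconnected", u="bob", ip="192.0.2.10"),
    _FMT.format(t="09:09:53", ev="Disconnected", u="carol", ip="192.0.2.10"),
    _FMT.format(t="09:10:02", ev="Disconnected", u="dave", ip="192.0.2.77"),
    _FMT.format(t="09:10:20", ev="Disconnected", u="dave", ip="192.0.2.77"),
    _FMT.format(t="09:12:00", ev="Login", u="erin", ip="192.0.2.10"),
]

def suspicious_ips(lines, min_users=3, window=timedelta(seconds=60), year=2008):
    """Return {rip: sorted usernames} for remote IPs that disconnected in the
    login stage with at least min_users distinct usernames inside one window.
    The log carries no year, so `year` is supplied by the caller (assumption)."""
    events = defaultdict(list)  # rip -> [(timestamp, username)]
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["rip"]].append((ts, m["user"]))
    flagged = {}
    for rip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users = {user for _, user in evs[start:end + 1]}
            if len(users) >= min_users:
                flagged.setdefault(rip, set()).update(users)
    return {rip: sorted(users) for rip, users in flagged.items()}

if __name__ == "__main__":
    for rip, users in suspicious_ips(SAMPLE).items():
        print(rip, users)
```

Counting distinct usernames rather than raw disconnects keeps a single user with a misconfigured mail client from being flagged.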

